Researchers Found Fleeceware in 32 iOS Apps Installed by 3.5 Million Users

Information security terminology is an absolute nightmare. As things stand, there are far too many terms floating around, and the definitions are often quite fuzzy. Despite this, the infosec lingo expands further, with new words being coined on a regular basis. That being said, the online threat landscape is so dynamic, and the schemes that cybercriminals devise are so diverse, that sometimes, the experts have no other choice but to invent new words to describe the latest online scams. Last year, for example, researchers from Sophos came up with the term 'fleeceware' when they examined a group of apps that were generating revenues in a somewhat dishonest way.

What is fleeceware?

The term relates primarily to mobile applications, which, in most cases, promise simple functionality like the ability to scan QR codes or read the daily horoscope. We're talking about apps that are published on the official app stores, and more often than not, they attract traffic and installations through paid advertisements.

On the face of it, the app is free, but in fact, it offers a rather short free trial, after which it automatically switches to a subscription model. The first charge after the trial is over is made without any interaction from the user, and although this information is available, it's written in annoyingly fine print and is buried deep in the app's terms of service. Since nobody reads the terms of service, people realize what's happening only after they see the automatic charge. Those who want to get their money back need to go through an absurdly complex process that costs them a lot of time and aggravation. Eventually, some give up, and the apps' developers get to keep the cash.

We're not talking about small sums either. The quoted prices don't seem especially massive, but the subscription plans often cover long periods of time, which means that users sometimes find several hundred dollars missing from their accounts. As we'll find out in a minute, it's big business, and Sophos' recent findings show that the developers of this type of app are not willing to give up on it.

Fleeceware finds its way to iOS’ App Store

The experts uncovered no fewer than 32 iOS apps that were displaying behavior similar to the one described above. Most of the applications are aimed at people who read their horoscope often and want to add effects to their selfies, and they seem to be quite popular. Unlike Google Play, Apple's App Store doesn't display the number of installs each individual app has achieved, but there are third-party services that can provide this sort of data. According to one such service called Sensor Tower, the applications Sophos analyzed have so far been installed by 3.5 million users.

There's nothing to stop this number from growing further, either. When Sophos wrote about their discovery on Wednesday, the apps were still available on the App Store, and the experts argued that this might have something to do with the fact that Apple gets to keep a chunk of every single app purchase that goes through the store.

There is certainly a lot of money at stake. Some of the applications were pretty high on the Top Grossing list, and Sensor Tower has estimated that they have grossed a total of $4.5 million. You can find the complete list of apps in Sophos' report, and if you own an iPhone or an iPad, you might want to look at it carefully.

Fleeceware is a serious problem

As you can see, we're talking about a seriously profitable operation. 3.5 million installs is no mean feat, and it was achieved despite Apple's strict rules on what is and what's not allowed on the App Store. On Google Play, where the approval process is a lot less stringent, the number of affected users could be much bigger. Since the apps appear on the official stores, it's up to users to protect themselves. Thankfully, this shouldn't be too difficult.

In all probability, your smartphone can scan QR codes out of the box, which means that you don't really need a third-party app to do it. When it comes to filters for your selfies and photos, there are a number of widely-used, world-renowned services that give you plenty of features and are much more transparent when it comes to what's free and what's paid. The same goes for your horoscope.

The upshot is, you can easily avoid getting fleeceware on your device if you're more careful with the apps you install on it.

April 10, 2020